border patrol agent indicted
A U.S. Border Patrol agent patrols along the Mexican border near San Diego in 2013. Reuters/Mike Blake

A hacker breached one of the US Customs and Border Patrol's contractors and stole travelers' personal data. Although the US Customs and Border Patrol (CBP) refrained from going into detail about the breach, refusing to mention the name of the contractor, the agency reportedly confirmed that travelers' photos and license plate numbers were accessed by the hacker.

The CBP said that it became aware of the breach on May 31st and that less than 100,000 people are affected by the attack. However, an unnamed US official said that the breach is thought of as a “major incident” within the CBP, The Washington Post reported. According to the anonymous official the data stolen by the hacker involves travelers crossing the Canadian border.

CBP said that its networks remained unaffected by the breach. The agency also said that travelers' passport details or travel document photographs were affected by the breach. The added that none of the stolen data has appeared on the dark web as of yet.

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” the agency said in a statement, TechCrunch reported. “Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”

Although the CBP refrained mentioning the affected contractor by name, reports speculate that the victim of the malicious attack may have been a firm called Perceptics, which provides license plate reader technology to the CBP. Last month, The Register reported that a hacker going by the pseudonym “Boris Bullet-Dodger” hacked into Perceptics, stole data and put it up on the dark web.

The breach has raised alarms in Washington, with several lawmakers in Congress calling for a restriction on the government's recent expansion of data collection and surveillance powers.

“If the government collects sensitive information about Americans, it is responsible for protecting it — and that’s just as true if it contracts with a private company,” Sen. Ron Wyden said in a statement, The Post reported. “Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future.”

“This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers,” ACLU senior counsel Neema Singh Guliani said. "This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain it in the first place.”